davejal davejal - 6 months ago 18
SQL Question

How secure is laravel 5.1?

After reading about SQL injection I wonder how secure it is to create apps in Laravel and how to test if your security meets today's standards?


I've developed a few Laravel applications and found them to be pretty secure in my eyes.

I ran a variety of penetration tests, OWASP ZAP scanner, sqlsus and 5+ tools including bbqsql and similar things for DB pen tests, nmap for port scanning, then switched ZAP to attack mode to perform various XSS and CSRFs and found no vulnerabilities from Laravel itself - just a couple of things from my server itself which I patched up.

It's important to say that no application is 100% secure as it depends a lot on how you do things.

However, Laravel does do a pretty good job out of the box by protecting you from:

  • SQL injection: if you use Eloquent queries these will keep you safe. But you will be vulnerable if you use DB::raw() queries as these can open you up to injection.

  • CSRF: Laravel takes care of this with CSRF tokens that it checks on each POST request, so make sure you use them. Essentially this protects you from someone changing the nature of the request, i.e. from POST to GET.

  • XSS: First sanitise user input. Variables are escaped using the blade syntax {!! !!}, which resolves to <?= e($foo) ?> inside your HTML code.

This is a pretty short overview of Laravel security. Once you start opening yourself up with file uploads etc. it can be a little bit more tricky, additionally doing unsafe things in PHP.

This article here might be an interesting read to go a little more in depth with the above.

In short, I've found Laravel to be secure from all the attacks I've ever run by using Eloquent and sanitising input where required, along with the correct use of blade syntax and the CSRF token.
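
The SQL injection point in the answer above (Eloquent queries versus DB::raw()), as an added example that is not part of the original answer or of Laravel's own code. It uses plain PDO with an in-memory SQLite database as a stand-in for the database layer, and the table, function names and inputs are constructed for the demonstration; the comments name the Laravel calls each pattern corresponds to.

```php
<?php
// Constructed demo data in an in-memory SQLite database (needs the pdo_sqlite extension).
function demoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)');
    $pdo->exec("INSERT INTO users (email, role) VALUES
        ('alice@example.test', 'admin'), ('bob@example.test', 'user')");
    return $pdo;
}

// Pattern to avoid: the input becomes part of the SQL text itself.
// Laravel equivalent: DB::select(DB::raw("SELECT ... WHERE email = '$email'"))
function findByEmailConcatenated(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Bound parameter: the input is sent as data and never parsed as SQL.
// Laravel equivalents: User::where('email', $email)->get()
// or DB::select('SELECT ... WHERE email = ?', [$email])
function findByEmailBound(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = demoDb();
$inputs = [
    'bob@example.test',      // ordinary lookup
    "nobody' OR '1'='1",     // constructed test string containing a quote
];

foreach ($inputs as $input) {
    $concat = count(findByEmailConcatenated($pdo, $input));
    $bound  = count(findByEmailBound($pdo, $input));
    printf("%-20s concatenated=%d row(s)  bound=%d row(s)\n", $input, $concat, $bound);

    // Regression check worth keeping in a test suite: both code paths must
    // agree on how many rows an input matches.
    if ($concat !== $bound) {
        echo "  -> input changed the query's meaning in the concatenated version\n";
    }
}
```

When a raw expression is unavoidable in Laravel, whereRaw() and DB::select() both accept a bindings array as their second argument, which keeps the value out of the SQL text in the same way as the bound version here.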